
Thread: Virtumondo...

  1. #11
    Junior Member
    Join Date
    Nov 2007
    Posts
    9


    Here is the combofix log:

    ComboFix 07-11-08.1 - Owner 2007-11-14 18:06:01.5 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point

    FILE
    C:\Documents and Settings\Owner\pdf.exe
    C:\WINDOWS\Fonts\Setup.exe
    C:\WINDOWS\system32\fccdayy.dll
    C:\WINDOWS\system32\hkwvoiwj.dll
    C:\WINDOWS\system32\hmnnygna.dll
    C:\WINDOWS\system32\jkhhi.dll
    C:\WINDOWS\system32\kcdqgkmk.dll
    C:\WINDOWS\system32\uisbbuwp.dll
    C:\WINDOWS\system32\vbzip10.dll
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Owner\Application Data\BitTorrent
    C:\Documents and Settings\Owner\Application Data\BitTorrent\dht.dat
    C:\Documents and Settings\Owner\Application Data\BitTorrent\resume.dat
    C:\Documents and Settings\Owner\Application Data\BitTorrent\resume.dat.old
    C:\Documents and Settings\Owner\Application Data\BitTorrent\settings.dat
    C:\Documents and Settings\Owner\Application Data\BitTorrent\settings.dat.old
    C:\Documents and Settings\Owner\Application Data\BitTorrent\Warhammer 40K Collection.torrent
    C:\Documents and Settings\Owner\Application Data\LimeWire
    C:\Documents and Settings\Owner\Application Data\LimeWire\414splashfree.png
    C:\Documents and Settings\Owner\Application Data\LimeWire\createtimes.cache
    C:\Documents and Settings\Owner\Application Data\LimeWire\fileurns.bak
    C:\Documents and Settings\Owner\Application Data\LimeWire\fileurns.cache
    C:\Documents and Settings\Owner\Application Data\LimeWire\filters.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\gnutella.net
    C:\Documents and Settings\Owner\Application Data\LimeWire\installation.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\library.dat
    C:\Documents and Settings\Owner\Application Data\LimeWire\limewire.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\mojito.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\questions.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\responses.cache
    C:\Documents and Settings\Owner\Application Data\LimeWire\simpp.xml
    C:\Documents and Settings\Owner\Application Data\LimeWire\spam.dat
    C:\Documents and Settings\Owner\Application Data\LimeWire\tables.props
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme.lwtp
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\01_star.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\02_star.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\03_star.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\04_star.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\05_star.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\chat.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\forward_up.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\kill.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\kill_on.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\logo.png
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\notsearching.png
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\pause_up.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\play_dn.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\play_up.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\question.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\searching.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\splash.png
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\splashpro.png
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\stop_up.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\theme.txt
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\version.txt
    C:\Documents and Settings\Owner\Application Data\LimeWire\themes\windows_theme\warning.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\ttree.cache
    C:\Documents and Settings\Owner\Application Data\LimeWire\version.xml
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\data\audio.sxml
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\data\delete_me
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\application.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\audio.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\document.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\image.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\misc\video.gif
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\application.xsd
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\audio.xsd
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\document.xsd
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\image.xsd
    C:\Documents and Settings\Owner\Application Data\LimeWire\xml\schemas\video.xsd
    C:\Documents and Settings\Owner\Application Data\uTorrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Cossacks European Wars.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Cossacks the Art of War.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\dht.dat
    C:\Documents and Settings\Owner\Application Data\uTorrent\dht.dat.old
    C:\Documents and Settings\Owner\Application Data\uTorrent\Great Invasions [Multilenguaje-EN-SP-FR-DE][www.pctorrent.com].torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Great.Invasions-RELOADED.[www.extreme-torrent.dl.am].torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Heroes of Might and Magic 3.rar.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\resume.dat
    C:\Documents and Settings\Owner\Application Data\uTorrent\resume.dat.old
    C:\Documents and Settings\Owner\Application Data\uTorrent\rss.dat
    C:\Documents and Settings\Owner\Application Data\uTorrent\settings.dat
    C:\Documents and Settings\Owner\Application Data\uTorrent\settings.dat.old
    C:\Documents and Settings\Owner\Application Data\uTorrent\SuperPower 2[2CDS][english][www.pctorrent.com].torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\utorrent.lng
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer 40,000 - Dawn of War.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer.1.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer.2.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer.3.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer.4.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Warhammer.5.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\warhammer.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\WORMS-Rar.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Worms 2.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Worms Armageddon.1.torrent
    C:\Documents and Settings\Owner\Application Data\uTorrent\Worms Armageddon.torrent
    C:\Documents and Settings\Owner\pdf.exe
    C:\Program Files\BitTorrent
    C:\Program Files\Program Files
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\files.dat
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\INSTALL.LOG
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\list.htm
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\main.ico
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\Readme.txt
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\RegBase.rgk
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\removeit.exe
    C:\Program Files\Program Files\RemovalPro\InCode Solutions\RemoveIT Pro v4-Trial\UNWISE.EXE
    C:\WINDOWS\Fonts\Setup.exe
    C:\WINDOWS\system32\awvtu.dll
    C:\WINDOWS\system32\fccdayy.dll
    C:\WINDOWS\system32\hmnnygna.dll
    C:\WINDOWS\system32\kcdqgkmk.dll
    C:\WINDOWS\system32\utvwa.ini
    C:\WINDOWS\system32\utvwa.ini2
    C:\WINDOWS\system32\vbzip10.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-14 to 2007-11-14 )))))))))))))))))))))))))))))))
    .

    2007-11-13 15:14 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-13 14:54 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-11-13 14:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
    2007-11-13 00:02 <DIR> d--h----- C:\WINDOWS\PIF
    2007-11-12 17:49 <DIR> d-------- C:\Program Files\GiPo@Utilities
    2007-11-12 17:49 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
    2007-11-12 16:30 <DIR> d-------- C:\Program Files\RemoveITPro
    2007-11-12 15:22 <DIR> d-------- C:\RemoveITPro
    2007-11-12 01:24 <DIR> d-------- C:\Documents and Settings\Administrator.NEWROOMPC\Application Data\InterTrust
    2007-11-12 01:23 <DIR> d-------- C:\Documents and Settings\Administrator.NEWROOMPC\WINDOWS
    2007-11-12 01:23 <DIR> d-------- C:\Documents and Settings\Administrator.NEWROOMPC\Application Data\VERITAS
    2007-11-12 01:23 <DIR> d-------- C:\Documents and Settings\Administrator.NEWROOMPC\Application Data\Symantec
    2007-11-12 01:23 <DIR> d-------- C:\Documents and Settings\Administrator.NEWROOMPC\Application Data\Share-to-Web Upload Folder
    2007-11-08 23:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Symantec
    2007-11-07 05:11 <DIR> d--h----- C:\Program Files\Zero G Registry
    2007-11-07 05:11 <DIR> d-------- C:\Program Files\Project64 v1.5
    2007-11-07 05:11 <DIR> d-------- C:\Documents and Settings\Owner\Shared
    2007-11-07 05:11 <DIR> d-------- C:\Documents and Settings\Owner\Incomplete
    2007-10-31 16:24 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-10-20 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-14 06:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-12 04:06 --------- d-----w C:\Program Files\Windows Live Toolbar
    2007-11-12 02:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-11-09 06:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-11-07 10:11 --------- d-----w C:\Program Files\Google
    2007-11-06 19:39 --------- d-----w C:\Program Files\AtBackup
    2007-11-06 19:20 --------- d-----w C:\Program Files\Norton AntiVirus
    2007-11-05 18:38 --------- d-----w C:\Program Files\iTunes
    2007-10-31 21:31 --------- d-----w C:\Program Files\iPod
    2007-10-31 21:28 --------- d-----w C:\Program Files\QuickTime
    2007-10-28 18:50 --------- d-----w C:\Program Files\Java
    2007-10-25 20:08 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-10-21 01:11 --------- d-----w C:\Program Files\Picasa2
    2007-10-21 00:59 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-20 17:59 --------- d-----w C:\Program Files\Gamesgate Games
    2007-10-07 18:35 --------- d-----w C:\Program Files\TripleA
    2007-10-07 16:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2006-03-01 22:27 75,200 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 18:04]
    "CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 01:11]
    "KBD"="C:\HP\KBD\KBD.EXE" [2001-07-06 23:56]
    "StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 10:01]
    "DDCM"="C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" [2002-06-08 03:18]
    "DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [2002-06-08 03:20]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2001-12-19 01:39]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2002-05-15 05:29]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2002-05-15 05:20]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-05-22 01:28]
    "LTMSG"="LTMSG.exe" [2003-07-14 10:52 C:\WINDOWS\ltmsg.exe]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 17:32]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-03 19:07]
    "LiveState Recovery 3.0"="C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe" [2004-12-07 16:59]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [2002-06-14 18:39]
    "nwiz"="nwiz.exe" [2002-05-03 19:06 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
    Event Reminder.lnk - C:\pmw\PMREMIND.EXE [1997-08-06 11:21:00]
    Palm Registration.lnk - C:\Palm\register.exe [2005-08-08 12:36:14]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    DataViz Inc Messenger.lnk - C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe [2006-01-06 19:52:03]
    Event Planner Reminders Tray Icon.lnk - C:\Sierra\Planner\PLNRnote.exe [2005-02-26 09:28:39]
    HOTSYNCSHORTCUTNAME.lnk - C:\Palm\Hotsync.exe [2004-06-09 14:27:34]
    NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-01-17 18:18:22]


    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-13 19:45:26 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
    - C:\Program Files\AdwareAlert\AdwareAlert.exe
    "2007-11-08 01:39:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-14 22:50:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
    - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
    "2007-11-10 01:01:12 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job"
    - C:\PROGRA~1\NORTON~1\Navw32.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-14 18:23:35
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-14 18:34:47 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-14 11:38
    .
    --- E O F ---

  2. #12
    Junior Member
    Join Date
    Nov 2007
    Posts
    9


    And here is the new HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:43:30 PM, on 2007-11-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\NDAS\System\ndassvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\LTMSG.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Sierra\Planner\PLNRnote.exe
    C:\Program Files\NDAS\System\ndasmgmt.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Owner\Desktop\Sean's ROMs\IWillKillVundo.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (file missing)
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
    O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [LiveState Recovery 3.0] "C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
    O4 - S-1-5-18 Startup: AutoPlay.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoPlay.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
    O4 - Startup: Palm Registration.lnk = C:\Palm\register.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
    O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\RRIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109293224781
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1122693317453
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec LiveState Recovery - Symantec Corporation - C:\Program Files\Symantec\LiveState Recovery\Desktop 3.0\Agent\VProSvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 11798 bytes

  3. #13
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875


    Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.


    Step # 1 Remove WildTangent

    I see you are using Wild Tangent. It is not malware, but is sometimes thought to bring malware along. Wild Tangent is a video game software company specializing in online games. It has even made a partnership with AOL to include itself as part of the AOL Instant Messenger for their AIM games section. The WildTangent Web Driver is their technology that allows you to play 3D games over the Internet. Although it’s not technically considered spyware, it does have built in components to update itself and gather information about the computer system including
    1. Operating System Version
    2. CPU Type and Speed
    3. Memory Amount
    4. Video Card type and Driver Version
    5. Sound Card type and Driver Version
    6. DirectX Version
    7. Location that the Web Driver was installed from
    It is also a MAJOR resource hog.
    For more information, see WildTangent Removal Instructions and Help and Inside Wild Tangent-Delivering High-End 3-D Content To A Web Site Near You.
    Unless you are an extremely avid games player, I recommend you uninstall Wild Tangent. To uninstall it:
    1. Click Start, point to Settings, and then click Control Panel.
    2. In Control Panel, double-click Add or Remove Programs.
    3. In Add or Remove Programs, highlight
       WildTangent Channel Manager
       WildTangent Web Driver
       and click Remove.
    4. Close the Add or Remove Programs and the Control Panel windows.




    Step # 2 Remove Viewpoint Media Player

    You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
    To remove, open Start->Control Panel->Add/Remove Programs find Viewpoint Media Player and select Remove.



    Step # 3 Download AVG Anti-Spyware

    Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

    If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
    • Click the Update icon at the top and under Manual Update click the Start update button.
    • The program will either update or inform you that no update was available.
    • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
    Please set up the program as follows:
    • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
    • Click the Update icon and untick the automatic update option.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act? - make sure that Quarantine is selected.
      • Under How to scan? - All checkboxes should be ticked.
      • Under Possibly unwanted software - All checkboxes should be ticked.
      • Under Reports - Select Do not automatically generate reports.
      • Under What to scan? - Select Scan every file.
    Close all open windows.
    Do not run a scan yet.



    Step # 4: Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Step # 5: Boot into Safe Mode

    You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.



    Step # 6: Remove Hijackthis Entries

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

      O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)


      If an Administrator has not set a policy restricting access to Internet Explorer settings and you have not configured any software such as Spybot S & D or a similar program to prevent changing Internet Explorer settings, then you can also fix these O6 entries with HijackThis:

      O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.



    Step # 7 Run AVG Anti-Spyware

    • Click on Scanner on the toolbar.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan your computer.
    • When the scan has finished, follow the instructions below:
      • Make sure that Set all elements to: shows Quarantine
      • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
      • When the program has finished, it will display the message All actions have been applied.
      • Then click the Save Scan Report button.
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Tray Icon and select Exit.
    • Reboot your computer.
    • Now copy the report back to this topic.



    Step # 8 Post Logs

    In your next post/reply, I'd like to see the following:

    1. AVG AntiSpyware report
    2. A fresh HiJackThis Log


    If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
    Malware Removal University Master
    Member of ASAP & UNITE
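The O2 and O6 entries in Step 6 above are registry artifacts: a Browser Helper Object is registered by CLSID under the Explorer\Browser Helper Objects key, and HijackThis prints "(no file)" when that CLSID's InprocServer32 path no longer exists on disk, while the O6 entry is the HKCU Internet Explorer Restrictions policy key. The following read-only PowerShell script is an added example for this page, not HijackThis code and not part of the helper's instructions; it enumerates the same artifacts on a current Windows system so an analyst can see which BHO registrations are orphaned and which IE restriction policies are set, without fixing anything. Assumptions: Windows with PowerShell 3 or later and read access to HKLM and HKCU; the registry paths used are the standard BHO, CLSID and IE policy locations.

```powershell
# Added example (not from the forum thread): report orphaned Browser Helper Objects
# and Internet Explorer restriction policies, the artifacts HijackThis lists as O2 / O6.
# Read-only: nothing is deleted or modified.

# Machine-wide BHO registration roots (64-bit systems also have a Wow6432Node view).
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# Places a CLSID may be registered; the InprocServer32 default value holds the DLL path.
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

function Resolve-BhoDll {
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($raw) {
                # Strip quotes and expand %SystemRoot%-style variables before checking disk.
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BhoReport {
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-BhoDll -Clsid $clsid
            $status = if (-not $dll) { 'no CLSID registration' }
                      elseif (-not (Test-Path -LiteralPath $dll)) { 'no file' }   # HijackThis "(no file)"
                      else { 'present' }
            [pscustomobject]@{ CLSID = $clsid; Dll = $dll; Status = $status; Root = $root }
        }
    }
}

function Get-IeRestrictions {
    # The O6 entry on this thread: any values under this key are policy restrictions.
    $key = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions'
    if (-not (Test-Path -LiteralPath $key)) { return @() }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PowerShell's PSPath etc.
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

function Get-IeLocalPage {
    # The R0 entry on this thread: HKCU\...\Internet Explorer\Main, "Local Page".
    $main = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    if ($main -and $main.PSObject.Properties['Local Page']) { return $main.'Local Page' }
    return $null
}

Write-Host '== Browser Helper Objects not backed by a file on disk =='
Get-BhoReport | Where-Object { $_.Status -ne 'present' } | Format-Table -AutoSize

Write-Host '== HKCU Internet Explorer Restrictions policy values =='
Get-IeRestrictions | Format-Table -AutoSize

Write-Host ('== IE Local Page: {0}' -f (Get-IeLocalPage))
```

An entry reported as "no file" is the same condition HijackThis shows as "O2 - BHO: (no name) - {CLSID} - (no file)": the registration survives but the DLL it pointed to is gone, typically because a cleaner removed the file and left the key. Restriction values under the HKCU policy key are legitimate when an administrator set them, which is why the helper's Step 6 only fixes the O6 line if no such policy exists; the script surfaces them so that decision can be made, and leaves removal to the tool the thread prescribes.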

  4. #14
    Emeritus
    Join Date
    Aug 2007
    Posts
    1,875

    Default

    SLynch89?

    Do you still need help? If any of my instructions are unclear, please let me know.
    Malware Removal University Master
    Member of ASAP & UNITE

  5. #15
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    SLynch89, this topic has been archived due to inactivity.

    As it has been 10 days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened.

    If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

    Thank you km2357.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
